I can't seem to get some of our anon relays working correctly.
I think it's the same issue as DNSCrypt/dnscrypt-proxy#1578 and DNSCrypt/dnscrypt-proxy#1346, with encrypted-dns as the server, dnscrypt-proxy (latest) as the client.
I get the "couldn't be reached anonymously" warning when I try scaleway-fr via our Switzerland relay @ sdns://gQ84MS4xNy4zMS4zNDo0NDM, but when I try our Latvia one @ sdns://gRMxMDkuMjQ4LjE0OS4xMzM6NDQz it works fine. If I turn on debugging I get that "[DEBUG] [scaleway-fr] drops fragmented queries" mentioned in DNSCrypt/dnscrypt-proxy#1346

That's weird though because I can't think of any reason why fragmentation would be happening. The two servers are almost identical. Both have the same encrypted-dns version, same config (aside from different local/external/upstream IPs [all local IPs on the same server]), same kernel, same OS, same sysctl.conf, same iptables ruleset (cept different IPs). Ethernet driver is different (e1000e and r8169) since different NIC brands, but I don't think that's causing this. ifconfig shows the MTU and txqueuelen is the same for both. I even tried tcpdump on both servers (filtering out my ip) and I can't see any significant difference between the two UDP streams.

There probably is some UDP fragmentation going on somewhere, or the code that's detecting fragmentation isn't doing that correctly, because if I try the Switzerland and "force tcp = true" in the client's dnscrypt-proxy.toml, it relays for scaleway-fr correctly.

I dunno what else to try :-(

Hello !

I wanted to update a test node to the latest release and noticed that I couldn't extract the pre-built binary, because of:

$ tar jxvf encrypted-dns_0.9.1_linux-x86_64.tar.bz2
bzip2: (stdin) is not a bzip2 file.
tar: Child returned status 2
tar: Error is not recoverable: exiting now

$ file encrypted-dns_0.9.1_linux-x86_64.tar.bz2
encrypted-dns_0.9.1_linux-x86_64.tar.bz2: XZ compressed data, checksum CRC64

Would it be possible to either, switch to .xz extension, or make sure it is using bzip2 ? 😄

Thank you for your great projects !

The Debian package for 0.9.1 requires libc6 >= 2.31 where previously it required >= 2.27.

I'm running the stable "buster" release of Debian (10.10) which currently supplies packages for glibc 2.28, so upgrading to 0.9.1 using the provided Debian package is not possible on the current stable platform. I know there aren't RPM's but even CentOS 8 is only at 2.28 so it seems like the requirement for glibc >= 2.31 might be a little high when running on stable systems.

Any chance of lowering the glibc requirement back down to 2.27 or 2.28 so the deb will install on the stable buster release?

Thanks!

Okay so I have installed this via rust "option 2" method. Due to the lack of setup instructions, I am at a loss for how to start/stop this as a service.

These are the suami and charis stamps as relays:
suami -> sdns: // gRE1MS4xNTguMTA2LjQyOjQ0Mw
charis -> sdns: // gRE1MS4xNS4xMDYuMTc2OjQ0Mw

Not if you need to be included in the server file.
Then I have a doubt. Is this syntax correct?

routes = [
{ via=['sdns://gRE1MS4xNS4xMDYuMTc2OjQ0Mw'], via=['sdns://gRE1MS4xNTguMTA2LjQyOjQ0Mw'] }
]

How do i check that everything is working? The servers are for sure, but I would like to check as a relay and that the client should go as it should.

Hiya
is there a windows version? and a tutorial? I have windows not linux

@jedisct1

[INFO ] DNS Stamp for Anonymized DNS relaying: sdns://xxxxxxxxxxxxxxxxxxxxx
Killed

Quit when the program's running.

I have Unbound configured and running successfully on a Raspberry Pi (4).

Could you provide some instructions to deploy Encrypted DNS Server to a Raspberry Pi?

Hi There,

how can I access the Dashboard?

It seems the original TTL of records is cached and returned identical in each subsequent query response

Meaning, a record with a 24-hour TTL that was cached 23 hours ago and is queried now, looks to the client as if it will be fresh for the next 24 hours, even though it is only fresh for another hour.

Is this intentional? It's unlike every piece of DNS software I've used before, which update the ttl in each query so that downstream caches will expire at the same time as its own cache does

Hello!
I can’t run it in any way.
Ubuntu 18.04:
root@dns:~/encrypted-dns-linux-x86_64# sh encrypted-dns encrypted-dns: 1: encrypted-dns: �ELF: not found encrypted-dns: 4: encrypted-dns: Syntax error: Unterminated quoted string

root@dns:~/encrypted-dns-linux-x86_64# bash  encrypted-dns
encrypted-dns: encrypted-dns: cannot execute binary file

How can I run the Application as as service when I boot up the Machine?

Hello,

Currently running an encrypted-dns-server directly as suggested here: jedisct1/dnscrypt-server-docker#37
Works flawlessly, thank you jedisct1.

I use an upstream server of OpenDNS.

My question is, is there a way to disable caching so that all requests are forwarded to OpenDNS?

Adding cache=false to the config file did not work for me and settings cache size to 0 is not allowed, a minimum of 3 is required.

Is it possible to disable caching?

How can I get DNS Stamp when daemonize is true?

Version:

• dnscrypt-proxy-2.0.29 beta 2
• encrypted-dns 0.3.6

./dnscrypt-proxy
[2019-10-20 22:49:22] [NOTICE] dnscrypt-proxy 2.0.29-beta.2
[2019-10-20 22:49:22] [NOTICE] Network connectivity detected
[2019-10-20 22:49:22] [NOTICE] Source [public-resolvers.md] loaded
[2019-10-20 22:49:22] [NOTICE] Source [relays.md] loaded
[2019-10-20 22:49:22] [NOTICE] Anonymized DNS: routing [dnscrypt.ca-2] via [anon-suami anon-tiarap]
[2019-10-20 22:49:22] [NOTICE] Anonymized DNS: routing [cs-fi] via [anon-ibkturm anon-tiarap]
[2019-10-20 22:49:22] [NOTICE] Anonymized DNS: routing [jp.tiar.app] via [anon-ibkturm anon-tiarap]
[2019-10-20 22:49:22] [NOTICE] Anonymized DNS: routing [id-gmail] via [anon-charis anon-tiarap]
[2019-10-20 22:49:22] [NOTICE] Anonymized DNS: routing [developerli-de] via [anon-kama anon-tiarap]
[2019-10-20 22:49:22] [NOTICE] Firefox workaround initialized
[2019-10-20 22:49:22] [NOTICE] Now listening to 127.0.0.1:5003 [UDP]
[2019-10-20 22:49:22] [NOTICE] Now listening to 127.0.0.1:5003 [TCP]
[2019-10-20 22:49:22] [NOTICE] Now listening to [::1]:5003 [UDP]
[2019-10-20 22:49:22] [NOTICE] Now listening to [::1]:5003 [TCP]
[2019-10-20 22:49:22] [NOTICE] [dnscrypt.ca-2] OK (DNSCrypt) - rtt: 487ms
[2019-10-20 22:49:22] [NOTICE] [cs-fi] OK (DNSCrypt) - rtt: 184ms
[2019-10-20 22:49:25] [WARNING] Unable to get a certificate via relay [174.138.29.175], retrying over a direct connection
[2019-10-20 22:49:25] [NOTICE] [jp.tiar.app] OK (DNSCrypt) - rtt: 72ms
[2019-10-20 22:49:28] [WARNING] Unable to get a certificate via relay [174.138.29.175], retrying over a direct connection
[2019-10-20 22:49:28] [NOTICE] [id-gmail] OK (DNSCrypt) - rtt: 13ms
[2019-10-20 22:49:28] [NOTICE] [developerli-de] OK (DNSCrypt) - rtt: 333ms
[2019-10-20 22:49:28] [NOTICE] Sorted latencies:
[2019-10-20 22:49:28] [NOTICE] -    13ms id-gmail
[2019-10-20 22:49:28] [NOTICE] -    72ms jp.tiar.app
[2019-10-20 22:49:28] [NOTICE] -   184ms cs-fi
[2019-10-20 22:49:28] [NOTICE] -   333ms developerli-de
[2019-10-20 22:49:28] [NOTICE] -   487ms dnscrypt.ca-2
[2019-10-20 22:49:28] [NOTICE] Server with the lowest initial latency: id-gmail (rtt: 13ms)
[2019-10-20 22:49:28] [NOTICE] dnscrypt-proxy is ready - live servers: 5

The server that retrying using direct connection serve more than one certificate:

$ drill -p 443 @174.138.21.128 txt 2.dnscrypt-cert.dns.tiar.app
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 31780
;; flags: qr rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; 2.dnscrypt-cert.dns.tiar.app.	IN	TXT

;; ANSWER SECTION:
2.dnscrypt-cert.dns.tiar.app.	0	IN	TXT	"DNSC\000\002\000\000lj\254=\139\020g!h\028\226\132\127/\145\027\210\014I\225\194^Z9V\233\146\235k\171\182\145\153\020\206\233\2178u\251Y\169/9\249\221\240\244\139\133\2253y`\131K\237Ff\247~\206R\010;\127\235k\238\182\146\178\131\183\251l\243lGv\177\226\\\134\019\134H\129\157\130\250z\173\134`A<\127\235k\238\182\146\178]\172?s]\172?s]\173\144\243"
2.dnscrypt-cert.dns.tiar.app.	0	IN	TXT	"DNSC\000\001\000\000\176\199D\211L\196\152\158u\151\155\155\003\146\132/\244\249\027\146\135\228\171\2487\148\175\207@\145mWs\169z|P\218\197?d\194\162\006\205\028./\210\186m\010\139r\230\154\134\201\011\005W\180I\008;\127\235k\238\182\146\178\131\183\251l\243lGv\177\226\\\134\019\134H\129\157\130\250z\173\134`A;\127\235k\238\182\146\178]\172?s]\172?s]\173\144\243"

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 4 msec
;; SERVER: 174.138.21.128
;; WHEN: Sun Oct 20 22:55:19 2019
;; MSG SIZE  rcvd: 320

Hello,

So I managed to get my DNSCrypt server up and running and it forwards all the requests to OpenDNS. Works great with my broadband connection. Thank you @jedisct1.

If I do not use DNSCrypt and used any simple DNS service, my mobile's ISP (Vodafone) would leak all the DNS requests.

However, even after setting up a DNSCrypt server and using my mobile's internet via hotspot, all DNS requests are being leaked. Same issue does not occur when using my Broadband Connection over the same WiFi adapter.

I have disabled fall back DNS servers on the client side. I have set the DNS to use on both wired and wireless adapter to 127.0.0.1, (although both were tested over WiFi).

I don't get what I am doing wrong. How is my mobile's ISP (Vodafone) is able to leak DNS entries sent over DNSCrypt?

EDIT:
The server is being hosted on a DigitalOcean VPS.

It would be nice to have an option to allow passing through the remote IP address as an EDNS subnet option (/32). There should be an additional config parameter to say if there is an existing EDNS subnet option in the packet should it be replaced or passed through. That way we can easily get proper details about the source on the backend dns server in case we want to do custom rules by IP. Thanks!

Hiya

can someone please port this to Microsoft Windows

 listen_addrs = [
     { local = "0.0.0.0:1443",    external = "a.a.a.a:1443" },
     { local = "[::]:1443",       external = "[bb:bb::1]:1443" }
 ]

I tried starting the program with above code, it always stops with [ERROR] Unable to listen to the requested IPs and ports: [[::]:1443/TCP: Address already in use (os error 98)].

It works perfectly fine when I change the port values for either one of ipv4/ipv6 address.

Hey man,

Thanks for your nice work and good readme.
I also want to provide a encrypted DNS Server, also with DOH and maybe implementing if possible quic.
Also after the latest release from Cloudflare when they announced "odoh (Oblivious DNS over HTTPS) https://blog.cloudflare.com/oblivious-dns/
I think this is gonna also a big release for privacy.
so since Adguard is supporting DOH,QUIC,TLS and DNSCrypt im considering to use that as server. But im not trusting them all in all, just my feeling.

Now to the question. I want to use the DNS Server also as VPN Server with WireGuard Protocol for like 5-10 if they're using mobile internet or using public hotspots.
So for my research should it possible to run that on one server/ip.
The DNS-Resolver itself will be a public useable non logging server with 10Gbits Uplink located in Germany.

Do you have some expierence with that?
Why I need this VPN ? Mostly sometimes a mobile device or in the city, but mostly I want to introduce friends and Family a easy solution to improve their security all in all.
I gonna setup today the encrypted dns with the doh proxy and Nginx.

If there I a way to implement the newest oDOH Protocol which Cloudflare introduced would be also nice, reads like the more future.

Thanks for your work so far, im excited to test this the coming days!

regards.

Hey, thanks for that project!

It would be awesome if we can use a Kubernetes secret to store the state file. See: https://kubernetes.io/docs/concepts/configuration/secret/

As i see it it's only updated every 8 hours, right? That would be no problem with k8s secrets.. What if i boot 10 instances of the same container? Are they all updating the state file?

The readme currently says:

The proxy requires a recursive DNS resolver, such as Knot, PowerDNS or Unbound.

Is it expected to remain this way? I really like the idea of a single self-contained dependency-free executable that provides both DNSCrypt and DoH, but would not want the upstream connection to be provided or even suggested. I personally like Unbound, but would like the continued freedom to change [or not change] that based on my own evaluation. Does that make sense?

Your dependency file specified a branch or reference for https://github.com/hyperium/hyper, but Dependabot couldn't find it at the project's source. Has it been removed?

View the update logs.

When use IPv6 relay with IPv6 dnscrypt-server, no response from the relay, dnscrypt-proxy working fine without IPv6 relays.

[2019-10-19 15:46:38] [NOTICE] dnscrypt-proxy 2.0.29-beta.1
[2019-10-19 15:46:38] [NOTICE] Network connectivity detected
[2019-10-19 15:46:38] [NOTICE] Source [public-resolvers.md] loaded
[2019-10-19 15:46:38] [NOTICE] Anonymized DNS: routing [adguard-dns-ipv6] via [sdns://gSBbMjQwMDo2MTgwOjA6ZDA6OjVmNzM6NDAwMV06MTQ0Mw]
[2019-10-19 15:46:38] [NOTICE] Firefox workaround initialized
[2019-10-19 15:46:38] [NOTICE] Now listening to 127.0.0.1:5003 [UDP]
[2019-10-19 15:46:38] [NOTICE] Now listening to 127.0.0.1:5003 [TCP]
[2019-10-19 15:46:38] [NOTICE] Now listening to [::1]:5003 [UDP]
[2019-10-19 15:46:38] [NOTICE] Now listening to [::1]:5003 [TCP]
[2019-10-19 15:46:38] [NOTICE] [adguard-dns-ipv6] OK (DNSCrypt) - rtt: 0ms
[2019-10-19 15:46:38] [NOTICE] Server with the lowest initial latency: adguard-dns-ipv6 (rtt: 0ms)
[2019-10-19 15:46:38] [NOTICE] dnscrypt-proxy is ready - live servers: 1

drill -p 5003 @::1 google.com
Error: error sending query: Could not send or receive, because of network error

The last line of this page states that DNS relay is supported, but I do n’t know how to use this thing. I ’m a novice, I ca n’t use it. Can you give me a tutorial?

Hello,

First, I want to say thank you and all the contributors for all these great projects for DNSCrypt. I have been a long time user and now working on launching a couple of servers for the community.

I was able to successfully compile encrypted-dns-server from source and run it as a systemd service. However, I am seeing 2.dnscrypt-cert." prefix is included in my provider name, even though that was not set by me.

In the toml file, I specified my provider name as: provider_name = "uncloudus.nogoogle.privacydns"

When the service runs and it echos the provider name, it shows as: Provider name: 2.dnscrypt-cert.uncloudus.nogoogle.privacydns. And the stamp generated also shows that the provider name includes "2.dnscrypt-cert." prefix.

My question is: how do I remove "2.dnscrypt-cert." prefix from provider name? Is it a default that I can change through encrypted-dns-server settings? Or would I have to use the stamp generator (https://dnscrypt.info/stamps) to generate a new stamp with the provider name I choose?

Thanks

Hi Frank,
I read about your new project. I would like to be able to convert the two servers that I keep to the new encrypted-dns-server.. For now, I use the container you published on Docker Hub, which uses dnscrypt-wrapper. Not having technical knowledge on DNS servers, I ask you if you can create a container that replaces dnscrypt-wrapper with encrypted-dns-server.
Thanks and good job.

Hey @jedisct1,
it would be nice to checking the source or the grafana dashboard here. Would you mind?

Max

I'm seeing the same issue as mentioned in #69.

24 hours after starting encrypted-dns-server with daemonize=true, starting dnscrypt-proxy on the client with the relay set results in No useable certificate found.

Checked clocks are in sync using ntpd. Tried both UTC and local timezone.

Issue occurs on two VPS servers with different providers, both running 64-bit Debian 11 using the precompiled .deb package.

Is there any windows pre-compiled binaries for this project?
Is it being being developed along-side dnscrypt-proxy?

How do i submit a dnscrypt-server running to resolvers btw?

Add id.server and hostname.bind due RFC4892.

Hello,
I've upgraded from 0.3.23 to 0.9.1 on a mostly idling virtual server running debian 11 with a custom kernel, 2x Intel cpu vcores and 1GB RAM.

The server used to be stable and running smoothly until the upgrade.
Mem usage went from around 19% to around 52% and up for no obvious reasons.

Some porbably not really useful syslog entries can be found below :
<...> oom-kill:constraint=CONSTRAINT_NONE,nodemask=(null),task=encrypted-dns,pid=1719
<...> Out of memory: Killed process 1719 (encrypted-dns) total-vm:1212052kB, anon-rss:573912kB, file-rss:0kB, shmem-rss:0kB, UID: pgtables:1520kB oom_score_adj:0

On the other hand, the upgrade had no impact on another virtual server running with only 512MB RAM and 1 vcore ( same OS, kernel and dns/encrypted-dns config as the other).

Have you already had similar issues reported?
Any ideas why this might be happening?

I've downgraded to 0.3.23, thigs are back to normal and currently monitoring.

Thanks.

# HELP encrypted_dns_client_queries Number of client queries received
# TYPE encrypted_dns_client_queries gauge

client_queries (gauge) = client_queries_udp (counter) + client_queries_tcp (counter)

The total client queries type should be counter.

Merry Christmas!

Hi Frank,
about the last bars on issue # 2, I inform you that I have just updated the docker image to the baeeed974b5e beta version.
In fact the dimensions have been reduced considerably, but I still notice oddities in the log. For example, there is a reference to dnscrypt-wrapper.
docker-log.txt

How can I correctly set up a load balanced dnscrypt server?

I have set up multiple instances of encrypted-dns, all sharing the same state file. However, it appears that the DNS stamp changes upon booting up with the setup.

I'd like to load balance with all of the instances keeping the same DNS stamp and same public IP address.

Show too many incoming connections?

Hi, I didn't see the log file generation during runtime. Is it a configuration error?

Hi, I updated suami with the new docker image. I added -A to the init. In fact a stamp was created to use suami as a relay. Unfortunately, the server has become unreachable as a DNS server.

Hi Frank,

I notice that you have pre-compiled binaries but can you update the release on crates.io please? https://crates.io/crates/encrypted-dns it's still on 0.3.11

Thanks

I use netdata for the telemetry of the servers in their entirety. But I read about Prometheus. How is it enabled on the servers and how can it be consulted?

Simply toggling the config entry daemonize to true means the metrics endpoint is no longer exposed.

OS: FreeBSD 12.1
Rust: 1.46.0

I setup encrypted-dns and now I'm trying to do access control using query_meta. It doesn't seem to work, am I doing it right?
encrypted-dns.toml has:
tokens = ["abc123"]
remote dnscrypt-proxy.toml has:
query_meta = ["token:abc123"]

This yields me SERVFAIL:

$ host -v cnn.com
Trying "cnn.com"
Host cnn.com not found: 2(SERVFAIL)
Received 25 bytes from X.X.X.X#53 in 65 ms

Please add edns_client_subnet from dnscrypt-proxy to here for all upstream queries, because without it some CDN have much latency.

Gives out the "Failed to generate URL to download artifact." error

I also tried to compile it myself, cargo doesn't show any error but when I try to run the compiled binaries it gives out Error: No such file or directory (os error 2)

I did chmod +x beforehand, so not sure what's causing that issue, tried on both inux mint and an ubuntu server.

Any help is appreciated. Thanks

Okay so apparently I'm dumb, I ran strace on the binary to check what is wrong what it turns out its just missing encrypted-dns.toml , but no error being printed. After I put encrypted-dns.toml in the same directory it works like a charm.

Hi! Thanks for this awesome project! I'm trying to build it on a Debian 10, I've installed rust-nightly channel and "apt install build-essentials". I'm getting the following error:

root@dns:~# cargo install encrypted-dns
    Updating crates.io index
  Downloaded encrypted-dns v0.1.4
  Downloaded 1 crate (30.4 KB) in 4.08s
  Installing encrypted-dns v0.1.4
  Downloaded byteorder v1.3.2
  Downloaded failure v0.1.5
  Downloaded net2 v0.2.33
  Downloaded log v0.4.8
  Downloaded serde_derive v1.0.101
  Downloaded clap v2.33.0
  Downloaded toml v0.5.3
  Downloaded rand v0.7.2
  Downloaded env_logger v0.6.2
  Downloaded parking_lot v0.9.0
  Downloaded serde v1.0.101
  Downloaded daemonize-simple v0.1.2
  Downloaded jemallocator v0.3.2
  Downloaded coarsetime v0.1.11
  Downloaded clockpro-cache v0.1.8
  Downloaded serde-big-array v0.1.5
  Downloaded dnsstamps v0.1.1
  Downloaded derivative v1.0.3
  Downloaded siphasher v0.3.1
  Downloaded futures-preview v0.3.0-alpha.18
  Downloaded privdrop v0.3.3
  Downloaded libsodium-sys-stable v0.0.18
  Downloaded atty v0.2.13
  Downloaded tokio v0.2.0-alpha.4
  Downloaded ansi_term v0.11.0
  Downloaded tokio-net v0.2.0-alpha.4
  Downloaded unicode-width v0.1.6
  Downloaded proc-macro2 v0.4.30
  Downloaded syn v0.15.44
  Downloaded parking_lot_core v0.6.2
  Downloaded quote v1.0.2
  Downloaded textwrap v0.11.0
  Downloaded syn v1.0.5
  Downloaded futures-core-preview v0.3.0-alpha.18
  Downloaded lazy_static v1.4.0
  Downloaded slab v0.4.2
  Downloaded quote v0.6.13
  Downloaded futures-channel-preview v0.3.0-alpha.18
  Downloaded humantime v1.3.0
  Downloaded getrandom v0.1.12
  Downloaded rand_chacha v0.2.1
  Downloaded cfg-if v0.1.9
  Downloaded regex v1.3.1
  Downloaded rustc_version v0.2.3
  Downloaded term_size v0.3.1
  Downloaded libc v0.2.62
  Downloaded lock_api v0.3.1
  Downloaded termcolor v1.0.5
  Downloaded failure_derive v0.1.5
  Downloaded rand_core v0.5.1
  Downloaded base64 v0.10.1
  Downloaded futures-sink-preview v0.3.0-alpha.18
  Downloaded proc-macro2 v1.0.4
  Downloaded backtrace v0.3.37
  Downloaded bitflags v1.1.0
  Downloaded futures-util-preview v0.3.0-alpha.18
  Downloaded strsim v0.8.0
  Downloaded futures-io-preview v0.3.0-alpha.18
  Downloaded vec_map v0.8.1
  Downloaded futures-executor-preview v0.3.0-alpha.18
  Downloaded unicode-xid v0.1.0
  Downloaded unsafe_unwrap v0.1.0
  Downloaded quick-error v1.2.2
  Downloaded memchr v2.2.1
  Downloaded semver v0.9.0
  Downloaded unicode-xid v0.2.0
  Downloaded cc v1.0.45
  Downloaded spin v0.5.2
  Downloaded num_cpus v1.10.1
  Downloaded futures-join-macro-preview v0.3.0-alpha.18
  Downloaded iovec v0.1.2
  Downloaded mio v0.6.19
  Downloaded pin-utils v0.1.0-alpha.4
  Downloaded jemalloc-sys v0.3.2
  Downloaded pkg-config v0.3.16
  Downloaded tokio-executor v0.2.0-alpha.4
  Downloaded proc-macro-nested v0.1.3
  Downloaded libflate v0.1.27
  Downloaded scopeguard v1.0.0
  Downloaded aho-corasick v0.7.6
  Downloaded regex-syntax v0.6.12
  Downloaded futures-select-macro-preview v0.3.0-alpha.18
  Downloaded mio-uds v0.6.7
  Downloaded tokio-codec v0.2.0-alpha.4
  Downloaded tokio-io v0.2.0-alpha.4
  Downloaded tokio-sync v0.2.0-alpha.4
  Downloaded tokio-fs v0.2.0-alpha.4
  Downloaded tar v0.4.26
  Downloaded thread_local v0.3.6
  Downloaded backtrace-sys v0.1.31
  Downloaded synstructure v0.10.2
  Downloaded rustc-demangle v0.1.16
  Downloaded tracing-core v0.1.6
  Downloaded minisign-verify v0.1.3
  Downloaded crossbeam-utils v0.6.6
  Downloaded isahc v0.7.3
  Downloaded bytes v0.4.12
  Downloaded nix v0.15.0
  Downloaded tokio-timer v0.3.0-alpha.4
  Downloaded tokio-macros v0.2.0-alpha.4
  Downloaded tracing v0.1.9
  Downloaded c2-chacha v0.2.2
  Downloaded smallvec v0.6.10
  Downloaded proc-macro-hack v0.5.9
  Downloaded chrono v0.4.9
  Downloaded curl v0.4.24
  Downloaded take_mut v0.2.2
  Downloaded crc32fast v1.2.0
  Downloaded crossbeam-channel v0.3.9
  Downloaded xattr v0.2.2
  Downloaded void v1.0.2
  Downloaded fs_extra v1.1.0
  Downloaded fnv v1.0.6
  Downloaded semver-parser v0.7.0
  Downloaded sluice v0.4.2
  Downloaded crossbeam-deque v0.7.1
  Downloaded crossbeam-queue v0.1.2
  Downloaded adler32 v1.0.4
  Downloaded http v0.1.18
  Downloaded curl-sys v0.4.21
  Downloaded filetime v0.2.7
  Downloaded rle-decode-fast v1.0.1
  Downloaded ppv-lite86 v0.2.5
  Downloaded num-integer v0.1.41
  Downloaded time v0.1.42
  Downloaded num-traits v0.2.8
  Downloaded openssl-probe v0.1.2
  Downloaded openssl-sys v0.9.49
  Downloaded socket2 v0.3.11
  Downloaded crossbeam-epoch v0.7.2
  Downloaded autocfg v0.1.6
  Downloaded itoa v0.4.4
  Downloaded libz-sys v1.0.25
  Downloaded tracing-attributes v0.1.3
  Downloaded arrayvec v0.4.11
  Downloaded memoffset v0.5.1
  Downloaded nodrop v0.1.13
  Downloaded libnghttp2-sys v0.1.2
   Compiling libc v0.2.62
   Compiling proc-macro2 v1.0.4
   Compiling unicode-xid v0.2.0
   Compiling proc-macro2 v0.4.30
   Compiling getrandom v0.1.12
   Compiling semver-parser v0.7.0
   Compiling cc v1.0.45
   Compiling autocfg v0.1.6
   Compiling cfg-if v0.1.9
   Compiling syn v1.0.5
   Compiling spin v0.5.2
   Compiling unicode-xid v0.1.0
   Compiling pkg-config v0.3.16
   Compiling byteorder v1.3.2
   Compiling ppv-lite86 v0.2.5
   Compiling syn v0.15.44
   Compiling futures-core-preview v0.3.0-alpha.18
   Compiling proc-macro-nested v0.1.3
   Compiling memchr v2.2.1
   Compiling arrayvec v0.4.11
   Compiling log v0.4.8
   Compiling crc32fast v1.2.0
   Compiling nodrop v0.1.13
   Compiling curl v0.4.24
   Compiling futures-io-preview v0.3.0-alpha.18
   Compiling fnv v1.0.6
   Compiling itoa v0.4.4
   Compiling openssl-probe v0.1.2
   Compiling pin-utils v0.1.0-alpha.4
   Compiling scopeguard v1.0.0
   Compiling isahc v0.7.3
   Compiling slab v0.4.2
   Compiling take_mut v0.2.2
   Compiling fs_extra v1.1.0
   Compiling bitflags v1.1.0
   Compiling adler32 v1.0.4
   Compiling smallvec v0.6.10
   Compiling rle-decode-fast v1.0.1
   Compiling nix v0.15.0
   Compiling serde v1.0.101
   Compiling failure_derive v0.1.5
   Compiling regex-syntax v0.6.12
   Compiling void v1.0.2
   Compiling rustc-demangle v0.1.16
   Compiling unicode-width v0.1.6
   Compiling serde-big-array v0.1.5
   Compiling quick-error v1.2.2
   Compiling strsim v0.8.0
   Compiling ansi_term v0.11.0
   Compiling unsafe_unwrap v0.1.0
   Compiling termcolor v1.0.5
   Compiling vec_map v0.8.1
   Compiling siphasher v0.3.1
   Compiling semver v0.9.0
   Compiling libnghttp2-sys v0.1.2
   Compiling backtrace-sys v0.1.31
   Compiling num-traits v0.2.8
   Compiling num-integer v0.1.41
   Compiling lazy_static v1.4.0
   Compiling openssl-sys v0.9.49
   Compiling libz-sys v1.0.25
   Compiling curl-sys v0.4.21
   Compiling futures-sink-preview v0.3.0-alpha.18
   Compiling lock_api v0.3.1
   Compiling jemalloc-sys v0.3.2
   Compiling humantime v1.3.0
   Compiling rustc_version v0.2.3
   Compiling c2-chacha v0.2.2
   Compiling crossbeam-utils v0.6.6
   Compiling tracing-core v0.1.6
   Compiling thread_local v0.3.6
error: failed to compile `encrypted-dns v0.1.4`, intermediate artifacts can be found at `/tmp/cargo-installQAG2Nt`

Caused by:
  failed to run custom build command for `openssl-sys v0.9.49`

Caused by:
  process didn't exit successfully: `/tmp/cargo-installQAG2Nt/release/build/openssl-sys-f7b4adcc8898418b/build-script-main` (exit code: 101)
--- stdout
cargo:rustc-cfg=const_fn
cargo:rerun-if-env-changed=X86_64_UNKNOWN_LINUX_GNU_OPENSSL_LIB_DIR
X86_64_UNKNOWN_LINUX_GNU_OPENSSL_LIB_DIR unset
cargo:rerun-if-env-changed=OPENSSL_LIB_DIR
OPENSSL_LIB_DIR unset
cargo:rerun-if-env-changed=X86_64_UNKNOWN_LINUX_GNU_OPENSSL_INCLUDE_DIR
X86_64_UNKNOWN_LINUX_GNU_OPENSSL_INCLUDE_DIR unset
cargo:rerun-if-env-changed=OPENSSL_INCLUDE_DIR
OPENSSL_INCLUDE_DIR unset
cargo:rerun-if-env-changed=X86_64_UNKNOWN_LINUX_GNU_OPENSSL_DIR
X86_64_UNKNOWN_LINUX_GNU_OPENSSL_DIR unset
cargo:rerun-if-env-changed=OPENSSL_DIR
OPENSSL_DIR unset
run pkg_config fail: "Failed to run `\"pkg-config\" \"--libs\" \"--cflags\" \"openssl\"`: No such file or directory (os error 2)"

--- stderr
thread 'main' panicked at '

Could not find directory of OpenSSL installation, and this `-sys` crate cannot
proceed without this knowledge. If OpenSSL is installed and this crate had
trouble finding it,  you can set the `OPENSSL_DIR` environment variable for the
compilation process.

Make sure you also have the development packages of openssl installed.
For example, `libssl-dev` on Ubuntu or `openssl-devel` on Fedora.

If you're in a situation where you think the directory *should* be found
automatically, please open a bug at https://github.com/sfackler/rust-openssl
and include information about your system as well as this message.

$HOST = x86_64-unknown-linux-gnu
$TARGET = x86_64-unknown-linux-gnu
openssl-sys = 0.9.49


It looks like you're compiling on Linux and also targeting Linux. Currently this
requires the `pkg-config` utility to find OpenSSL but unfortunately `pkg-config`
could not be found. If you have OpenSSL installed you can likely fix this by
installing `pkg-config`.

', /root/.cargo/registry/src/github.com-1ecc6299db9ec823/openssl-sys-0.9.49/build/find_normal.rs:150:5
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace.

This is my first time trying to use the rust library, sorry if this is trivial to fix.

Hi Frank,

Thank you for this software first of all! Your hard work on dnscrypt, dnscrypt-proxy, and encrypted-dns-server are much appreciated.

I am considering switching to encrypted-dns-server from other solutions but would like to have the ability to generate the short term keys from a remote system and push them to the resolver and then tell the resolver to reload the keys.

Key generation now looks to be coupled with the server itself and then written to the state file. I don't see any options to use the server to generate and manage keys independently of running a server.

Are there any plans to implement this feature? Currently we use dnsdist with addDNSCryptBind to run a dnscrypt resolver and then custom scripts on a key server to generate certs, push them, and then use some commands to have dnsdist load the new keys.

Thanks for any information you can provide on this subject!

This error occurred after 24 hours of back-office operation and appears to have been caused by the failure to update the certificate?

During the installation on my PI3 running arch I got the following error:
error: could not compile 'nix'.

Caused by: process didn't exit successfully: 'rustc --crate-name nix /home/thebattlewolf/.cargo/registry/src/github.com-1ecc6299db9ec823/nix-0.16.1/src/lib.rs --error-format=json --json=diagnostic-rendered-ansi,artifacts --crate-type lib --emit=dep-info,metadata,link -C opt-level=3 -C panic=abort -Cembed-bitcode=no -C codegen-units=1 -C metadata=c2fedcef72f83904 -C extra-filename=-c2fedcef72f83904 --out-dir /tmp/cargo-installqCnlHo/release/deps -L dependency=/tmp/cargo-installqCnlHo/release/deps --extern bitflags=/tmp/cargo-installqCnlHo/release/deps/libbitflags-b992c00bea915fd0.rmeta --extern cfg_if=/tmp/cargo-installqCnlHo/release/deps/libcfg_if-803e53fe0a5da7b6.rmeta --extern libc=/tmp/cargo-installqCnlHo/release/deps/liblibc-69d0feabcfd726fc.rmeta --extern void=/tmp/cargo-installqCnlHo/release/deps/libvoid-cd82f05fd1dd77db.rmeta --cap-lints allow' (signal: 9, SIGKILL: kill)

Could it be that ARM is not supported?
If so will it be in the future?

I'm running as a systemd service (type=simple)
When I have daemonize = false AND metrics enabled it still bails out.

According to this commit it shouldn't: 0526aba
No problem in 0.3.19 but a problem in 0.3.20.

Error: Metrics are incompatible with daemonization - set 'daemonize = false' in the configuration file if you need metrics

I'm running chrooted

[metrics]
type = "prometheus"
listen_addr = "127.0.0.1:9104"
path = "/metrics"

Is it possible to reload domain_blacklist and undelegated_list whithout restarting the daemon?
Something like akin sending a SIGHUP just to reload the files and keep running?